In many network environments, unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. To detect and remediate such vulnerabilities, existing network security systems typically conduct vulnerability analysis through manual inspection or network scans. For example, conventional network scanners (or "active vulnerability scanners") send packets or other messages to devices in the network and then audit the network using the information contained in any response packets or messages received from those devices. Physical limitations of the network therefore limit the effectiveness of active vulnerability scanners: only devices that can communicate with the scanner can be audited, and actively scanning networks distributed over large areas or containing large numbers of devices may take a long time. For example, in a network that includes multiple routers, hosts, and other network devices, an active vulnerability scanner would typically have to send packets that traverse several routers to reach the hosts and other devices, some of which may be inactive at the time of the scan and therefore inaccessible. Further, where one or more of the routers have firewalls that screen or otherwise filter incoming and outgoing traffic, the active vulnerability scanner may generate incomplete results because the firewalls may prevent it from auditing hosts or other devices behind them.
Furthermore, active vulnerability scanners produce audit results that become stale over time because the results describe a static state of the network at a particular point in time. An active vulnerability scanner would therefore likely fail to detect hosts added to or removed from the network after a particular scan, so the audit results steadily lose value as the network changes. Active vulnerability scanners can also cause disruptions during an audit: probing network hosts or other devices may result in communication bottlenecks, processing overhead, and instability, among other problems. Thus, deployment locations, configurations, and other factors employed to manage networks can often interfere with obtaining suitable auditing results using active vulnerability scanners alone. Existing systems that rely entirely on active vulnerability scanners consequently cannot obtain comprehensive information describing important settings, configurations, or other characteristics of the network, because such scanners audit only the network state at a particular point in time, whereas suitably managing network security often requires insight into real-time activity occurring in the network.
For example, in many instances certain hosts or devices may participate in sessions occurring on the network, yet the limitations described above can prevent active vulnerability scanners alone from suitably auditing those hosts or devices. As such, various existing network security systems employ one or more passive vulnerability scanners in combination with active vulnerability scanners to analyze traffic traveling across the network, which may supplement the information obtained from the active vulnerability scanners. However, even when passive and active vulnerability scanners are combined, the amount of data they return can be substantial, which makes administering the potentially large number of vulnerabilities and assets difficult: many network topologies include hundreds, thousands, or even more nodes, so representing the topology in a manner that provides visibility into the network can be unwieldy. Furthermore, passive vulnerability scanners (like active vulnerability scanners) may have coverage gaps, because network traffic does not always include all data relevant to discovering vulnerabilities. For example, a passive vulnerability scanner may observe traffic that includes SSL data but be unable to determine what SSL version was used in the observed traffic, which may be relevant to determining whether the network is susceptible to compromise because it supports an SSL version having known vulnerabilities.
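The SSL version gap described above can be shown concretely. The following Python is an added example, not code from the original document or from any product it describes: it acts as a passive observer over constructed TLS records, reads the versions a ClientHello offers and a ServerHello selects from the supported_versions extension (falling back to the legacy version field for pre-1.3 and SSLv3 clients), and shows that a capture consisting only of encrypted application-data records reveals no reliable version, because the record-layer version field reads 0x0303 (TLS 1.2) even for TLS 1.3 sessions. All record bytes are constructed inside the block, and the helper names (`observe`, `build_client_hello`, `build_server_hello`) are this example's own.

```python
import struct

# Protocol version numbers as carried on the wire (RFC 5246 / RFC 8446).
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B   # extension that carries the real versions for TLS 1.3
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _name(v):
    return VERSION_NAMES.get(v, hex(v))


def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    return ctype, ver, payload


def _parse_extensions(buf):
    """Return {ext_type: ext_data} from a length-prefixed extensions block (absent in SSLv3)."""
    if len(buf) < 2:
        return {}
    (total,) = struct.unpack("!H", buf[:2])
    body, exts, pos = buf[2:2 + total], {}, 0
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def versions_from_handshake(payload):
    """Return ('client_hello', offered_versions) or ('server_hello', [selected_version])."""
    msg_type = payload[0]
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                       # skip legacy_version and random
    pos += 1 + body[pos]               # skip session_id
    if msg_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                                    # skip compression_methods
        sv = _parse_extensions(body[pos:]).get(SUPPORTED_VERSIONS_EXT)
        if sv:                         # TLS 1.3 client: explicit list of offered versions
            offered = [struct.unpack("!H", sv[1 + i:3 + i])[0] for i in range(0, sv[0], 2)]
        else:                          # older client: the legacy field is the real offer
            offered = [legacy_version]
        return "client_hello", offered
    if msg_type == SERVER_HELLO:
        pos += 2 + 1                   # skip cipher_suite and compression_method
        sv = _parse_extensions(body[pos:]).get(SUPPORTED_VERSIONS_EXT)
        selected = struct.unpack("!H", sv[:2])[0] if sv else legacy_version
        return "server_hello", [selected]
    return "other", []


def observe(records):
    """Passive observer: what the captured records allow us to conclude about the version."""
    seen = {"offered": None, "negotiated": None, "record_version": None}
    for rec in records:
        ctype, ver, payload = parse_record(rec)
        seen["record_version"] = _name(ver)     # outer field only; misleading for TLS 1.3
        if ctype != HANDSHAKE:
            continue                            # encrypted records carry no version data
        kind, versions = versions_from_handshake(payload)
        if kind == "client_hello":
            seen["offered"] = [_name(v) for v in versions]
        elif kind == "server_hello":
            seen["negotiated"] = _name(versions[0])
    return seen


# --- constructed traffic (not a real capture) ---------------------------------
def _record(ctype, ver, payload):
    return struct.pack("!BHH", ctype, ver, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _ext_block(exts):
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def build_client_hello(legacy_version, offered=None):
    """ClientHello with zero random, empty session id, one cipher suite, null compression."""
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00")
    if offered is not None:            # TLS 1.3 style: add supported_versions
        sv = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
        body += _ext_block([(SUPPORTED_VERSIONS_EXT, sv)])
    return _record(HANDSHAKE, legacy_version, _handshake(CLIENT_HELLO, body))


def build_server_hello(selected):
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + _ext_block([(SUPPORTED_VERSIONS_EXT, struct.pack("!H", selected))]))
    return _record(HANDSHAKE, 0x0303, _handshake(SERVER_HELLO, body))


FULL_HANDSHAKE = [build_client_hello(0x0303, [0x0304, 0x0303]), build_server_hello(0x0304),
                  _record(APPLICATION_DATA, 0x0303, b"\xaa" * 16)]
APPDATA_ONLY = [_record(APPLICATION_DATA, 0x0303, b"\xaa" * 16)]

if __name__ == "__main__":
    print(observe(FULL_HANDSHAKE), observe(APPDATA_ONLY), observe([build_client_hello(0x0300)]))
```

The point of the second capture is the coverage gap itself: with only application-data records in hand, `observe` can report nothing but the record-layer field, and a scanner that trusted that field would log a TLS 1.3 session as TLS 1.2. The third call shows the opposite case, where an SSLv3 client is identified directly from the legacy version field because it sends no extensions at all.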
Although desktops, laptops, servers, applications, and other assets in a network can be configured to generate events or other log data describing their activity, which may supplement the data produced by active and/or passive vulnerability scanners, existing solutions for correlating network events or log data suffer from limitations that interfere with detecting network vulnerabilities from such events or log data alone. To the extent that existing event and log correlation solutions support vulnerability management at all, they tend to focus on whether the correlated events and/or log data describe activity that may be targeting or attempting to exploit known vulnerabilities that were previously detected by some other mechanism (e.g., an active and/or passive vulnerability scanning solution). Furthermore, even if an existing event or log correlation solution could support vulnerability detection, adding such support would likely require vulnerability research teams and developers to expend substantial effort rewriting, reformatting, or otherwise redesigning the code, data structures, and other information corresponding to known vulnerability data into a form that the existing solution can digest. Accordingly, existing solutions for correlating network log data or other event information have limitations and drawbacks that interfere with suitably discovering vulnerabilities and assets from such data, and thereby with complementing active and/or passive vulnerability scans or providing alternate mechanisms for discovering network assets and vulnerabilities from various network sources.
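To make concrete what discovering assets and vulnerabilities from log data alone involves, the following Python is an added example, not code from the original document or from any product it describes. It builds an asset inventory (address, hostname, MAC, listening services with versions) from constructed syslog-style lines, then checks the discovered versions against a rule table written in the shape a correlator can consume directly, rather than against findings imported from a prior scan. The log layout, hostnames, addresses, the products `examplehttpd` and `exampleftpd`, and the rule flagging `examplehttpd` releases before 2.4.0 are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed log lines in a generic syslog layout. Hosts, addresses and the
# products "examplehttpd" / "exampleftpd" are hypothetical, not real software.
SAMPLE_LOGS = [
    "Mar 10 08:01:12 gw1 dhcpd[812]: DHCPACK on 10.0.5.21 to 3c:52:82:aa:bb:01 (ws-021) via eth1",
    "Mar 10 08:01:40 ws-021 examplehttpd[2201]: examplehttpd/2.3.9 listening on 10.0.5.21:8080",
    "Mar 10 08:02:03 gw1 dhcpd[812]: DHCPACK on 10.0.5.22 to 3c:52:82:aa:bb:02 (ws-022) via eth1",
    "Mar 10 08:02:30 ws-022 examplehttpd[2210]: examplehttpd/2.4.1 listening on 10.0.5.22:8080",
    "Mar 10 08:03:11 ws-022 exampleftpd[2300]: exampleftpd/1.0.0 listening on 10.0.5.22:21",
    "Mar 10 08:04:00 ws-021 kernel: usb 1-1: new high-speed USB device",   # carries no asset data
]

# Hypothetical vulnerability rules in a form the correlator reads directly:
# product -> (first fixed version, description). Versions below the first fixed one are flagged.
VULN_RULES = {
    "examplehttpd": ("2.4.0", "hypothetical: examplehttpd releases before 2.4.0"),
}

DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[\w-]+)\)")
LISTEN_RE = re.compile(r"(?P<product>[a-z]+)/(?P<version>\d+(?:\.\d+)*) listening on "
                       r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")


def parse_version(text):
    """Dotted version -> tuple of ints, so 2.10.0 sorts after 2.9.9 (string order would not)."""
    return tuple(int(part) for part in text.split("."))


def build_inventory(lines):
    """Derive assets and their listening services purely from log lines."""
    assets = defaultdict(lambda: {"hostname": None, "mac": None, "services": []})
    for line in lines:
        m = DHCP_RE.search(line)
        if m:                                   # lease grant: address <-> host identity
            asset = assets[m["ip"]]
            asset["hostname"], asset["mac"] = m["host"], m["mac"]
            continue
        m = LISTEN_RE.search(line)
        if m:                                   # service start-up: product, version, port
            assets[m["ip"]]["services"].append((m["product"], m["version"], int(m["port"])))
    return dict(assets)


def find_vulnerable(inventory, rules=VULN_RULES):
    """Match discovered service versions against the rule table; returns one finding per hit."""
    findings = []
    for ip, asset in inventory.items():
        for product, version, port in asset["services"]:
            rule = rules.get(product)
            if rule and parse_version(version) < parse_version(rule[0]):
                findings.append((ip, asset["hostname"], product, version, port, rule[1]))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LOGS)
    for finding in find_vulnerable(inventory):
        print(finding)
```

The inventory step and the matching step are deliberately separate: the first produces assets even where no rule applies (the `exampleftpd` service on 10.0.5.22 is recorded but not flagged), which is the asset-discovery value the log source provides on its own, and the second consumes rules as plain data so that new vulnerability knowledge is a table entry rather than a code change.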